We have a .Net application that is used for editing/rendering customized HTML documents. It is hosted in IE using the AxSHDocVw.AxWebBrowser controls. We proceed with navigating to "about:blank" page initially then we change the Document by writing our custom values into it. The problem we are facing is the call to IHTMLTxtRange.execCommand("Copy",false,null) is failing if we don't enable the IE Security Settings in the Internet Security zone (Scripting->Allow Programmatic Access to Clipboard ).
In order to bypass the security setting ,I tried to point to a local html file initially while navigating. But this fails as soon as I modify the Document.
I want to use the IHTMLTxtRange.execCommand("Copy",false,null) command so that I can customize our Copy/Paste operations.
Is there any other way I can do this.
Please share your ideas inorder to overcome this situation.
Thanks.
Sriram
Try implement IInternetSecurityManager on your webbrowser control host, handle URLACTION_SCRIPT_PASTE in ProcessUrlAction.
Note there is a bug in earlier versions of IE that causes the webbrowser to ignore host's URLACTION_SCRIPT_PASTE handling.
As far as I know, there is no way to do that without user permission. Its a security/privacy loophole to allow access to clipboard, and its natural that browsers are protective about it.
You have already tried out ActiveX, and it doesn't work
With Flash, you can interact with system clipboard - but only if its a part of an event handler. See Flash Player 10 Security.
Javascript doesn't expose a way to access the clipboard.
Not sure about silverlight, but I am guessing it would also restrict access to clipboard.
In short, the user has to explicitly give your application/website permission to access clipboard.
Related
I was wondering if it's possible to capture a screenshot and/or record my computer screen(s) via a website?
If it is possible, what languages would I need to learn/code? I already have intermediate knowledge of HTML, CSS, JavaScript, jQuery, and PHP.
In other words: I want to have the ability to capture/record my screen (not the website) via using a website (not an application).
Thanks!
This is not possible. Web sites are very deliberately given only restricted access to your computer for security reasons. Imagine the havoc that could result if a malicious web site were able to see and capture what was on your screen--banking information, your confidential e-mails, etc. Even if the user had to give permission for this level of access, it would still be way too easy to trick a user into giving that permission.
The closest I could find/think of was http://www.screencast-o-matic.com/screen_recorder, but even then you have to download a launch plugin. I agree with #DLH. This is for your protection.
My favorite screen recorder is ScreenPresso - it is always running in background, and repurposed the PrtScn button as its launch key.
I know its a security feature in IE to not allow scripts to interact past frame tags/objects but is there a way around this?
I am using a program to interact with the IE COM interface.
For example if I were to have an tag and I wanted to use the $tagobject.innerhtml to retrieve the html inside the frame tag, what is the best way of going that this?
Native code running at full trust (e.g. an IE plugin) can interact with any document loaded in the browser. You're correct to note that interacting with subframes that are from an origin different than the top-level page is blocked by security policy when accessed in the "simple" way. But native code can circumvent that.
This support article shows how to enumerate the contents of all frames, regardless of their origin. The basic idea is that you cast the top-level document to an IOleContainer and then enumerate its children, which bypasses the security check.
We need to force a particular web application to launch in the Notes browser regardless of the browser option the user has chosen. This also ideally needs to be launched from some LotusScript code.
I haven't been able to find a way of doing it so any suggestions would be appreciated.
There's unfortunately no way to force the Notes browser via LotusScript. However, you could look into using policies to restrict the user's default browser: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/03062008102616AMWEBL4Y.htm
If it is possible, I suggest taking a different approach. This likely can't be solved via a technical solution (i.e. the user could always find a way to open the URL in a non-Notes browser if they are motivated to do so). Therefore I would make the recommendation to the user that the application only works via the Notes browser, and leave it up to them to do the right thing. Do that either by training, or putting a message on the web application, etc.
Another idea, if you have control over the web application, is that you could check the browser's User Agent for the keyword "Lotus Notes", and disallow anyone non-Notes browsers from using the application.
Oddly enough I have the issue you want to emulate happening on a Mac. I am not sure at this time if this is expected behavior though (still investigating).
I have a database rendering an XPage on the client. The link is in a rich text field. When the link is clicked it opens in the same tab in the Notes client, instead of the system browser (which is set in the Notes client).
Using Call notesUIWorkspace.URLOpen( Url$, reload%, urlList%, charset$, webusername$, webpassword$, proxywebusername$, proxywebpassword$, notesRetriever )
specifying true for notesRetriever, will open the browser page IN notes (whatever user config).
Don't expect too much of this since this will require the retriever process to run on the Domino server.
I bet your application won't work using a reriever.
In my a web application, I have a part to invoke an activex control .The Activex control is available in all the client PCs who are accessing my web application from web server. But When trying to run this ActiveX control from the browser in client machine (using Wshell), It was not getting invoked since "Run Activex Controls and Pluggins" are disabled in my browser. So I changed the browser settings to enable mode and Then the Activex control gave me the expected output. I afraid that this change in browser settings would allow any other website to harm my system. How could I get rid of this problem? Any thoughts? Thanks in advance
There had been a lotta secutiry changes introduced from Vista + IE7 onwards. Where in the IE starts in the procted mode, which helps protect users from attack by running the Internet Explorer process with greatly restricted privileges. Protected Mode significantly reduces the ability of an attack to write, alter or destroy data on the user's machine or to install malicious code.
More details : http://msdn.microsoft.com/en-us/library/bb250462.aspx#wpm_aarwm
So developers have to modify the applications to confirm to the new standards like starting the process from the plugin - sending widows messages from LI(Low Intergirty) to HI process etc.
You can digitally sign your ActiveX so that users do not have to compromise the security of their browser too much in order to allow it to run. But, essentially, ActiveX isn't very secure and these problems always pop up when you choose ActiveX...
I know this might be a no-brainer, but please read on.
I also know it's generally not considered a good idea, maybe the worst, to let a browser run and interact with local apps, even in an intranet context.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion. These folks are not particularly tech savvy; I don't even consider thinking that they could understand the difference between remote delivered applications and local ones.
So, I've been asked if it's possible. Of course, it is, with IE's good ol' ActiveX controls. And I even made a working prototype (that's where it hurts).
But now, I doubt. Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone? People will use the same browser to surf the web, can I fully trust IE? Isn't there a risk that Microsoft would just disable those controls in future updates/versions? What if a website, or any kind of malware, just put another site on the trust list? With that extent of control, you could as well uninstall every protection and just run amok 'till you got hanged by the IT dept.
I'm about to confront my superiors with the fact that, even if they saw it is doable, it would be a very bad thing. So I'm desperately in need of good and strong arguments, because "let's don't" won't do it.
Of course, if there is nothing to be scared of, that'll be nice too. But I strongly doubt that.
We use Citrix for home-office, and people really like it. Now, they would like the same kind of environment at work, a nice page where every important application/document/folder is nicely arranged and classified in an orderly fashion
I haven't used Citrix very many times, but what's it got to do with executing local applications? I don't see how "People like Citrix" and "browser executing local applications" relate at all?
If the people are accessing your Citrix server from home, and want the same experience in the office, then buy a cheap PC, and run the exact same Citrix software they run on their home computers. Put this computer in the corner and tell them to go use it. They'll be overjoyed.
Isn't it madness to allow such 'dangerous' ActiveX controls, even in the 'local intranet' zone ? People will use the same browser to surf the web, can I fully trust IE ?
Put it this way. IE has built-in support for AX controls. It uses it's security mechanisms to prevent them from running unless in a trusted site. By default, no sites are trusted at all.
If you use IE at all then you're putting yourself at the mercy of these security mechanisms. Whether or not you tell it to trust the local intranet is beside the point, and isn't going to affect the operation of any other zones.
The good old security holes that require you to reboot your computer every few weeks when MS issues a patch will continue to exist and cause problems, regardless of whether you allow ActiveX in your local intranet.
Isn't there a risk that Microsoft would just disable those controls in future updates / versions ?
Since XP-SP2, Microsoft has been making it increasingly difficult to use ActiveX controls. I don't know how many scary looking warning messages and "This might destroy your computer" dialogs you have to click through these days to get them to run, but it's quite a few. This will only get worse over time.
Microsoft is walking a fine line. On one hand, they regularly send ActiveX killbits with Windows Update to remove/disable applications that have been misbehaving. On the other hand, the latest version of Sharepoint 2007 (can't speak for earlier versions) allows for Office documents to be opened by clicking a link in the browser, and edited in the local application. When the edit is finished, the changes are transmitted back to the server and the webpage (generally) is refreshed. This is only an IE thing, as Firefox will throw up an error message.
I can see the logic behind it, though. Until Microsoft gets all of their apps 'in the cloud', there are cases that need to bridge the gap between the old client-side apps and a more web-centric business environment. While there is likely a non-web workaround, more and more information workers have come to expect that a large portion of their work will be done in a browser. Anything that makes the integration with the desktop easier is not going to be opposed by anyone except the sysadmins.
The standard citrix homepage (or how we use it) is a simple web page with program icons. Click on it, and the application get's delivered to you. People want the same thing, at work, with their applications/folders/documents. And because I'm a web developer, and they asked me, I do it with a web page... Perhaps I should pass the whole thing over to the VB guy..
Ahh... I know of 2 ways to accomplish this:
You can embed internet explorer into an application, and hook into it and intercept certain kinds of URL's and so on
I saw this done a few years ago - a telephony application embedded internet explorer in itself, and loaded some specially formatted webpages.
In the webpage there was this:
Call John Smith
Normally this would be a broken URL, but when the user clicked on this link, the application containing the embedded IE got notified, and proceeded to execute it's own custom code to dial the number from the URL.
You could get your VB guy to write an application which basically just wraps IE, and has handlers for executing applications. You could then code normal webpages with links to just open applications, and the VB app would launch them. This allows you to write your own security stuff (like, only launch applications in a preset list, or so on) into the VB app, and because VB is launching them, not IE, none of the IE security issues will be involved.
The second way is with browser plug-ins.
For example, skype comes with a Firefox plug-in, which looks for phone-numbers in web-pages, and attaches special links to them. When you click on these links it invokes skype - you could conceivably do something similar for launching your citrix apps.
You'd then be tied to firefox though. Writing plugins for IE is much harder than for FF, I wouldn't go down that path unless forced to.